STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Cisco PE switch must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS GIG Technical Profile.

DISA Rule

SV-221129r622190_rule

Vulnerability Number

V-221129

Group Title

SRG-NET-000193-RTR-000113

Rule Version

CISC-RT-000760

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure a QoS policy in accordance with the QoS GIG Technical Profile.

Step 1: Configure class-maps to match on DSCP values as shown in the configuration example below:

SW1(config)# class-map match-all C2_VOICE
SW1(config-cmap)# match ip dscp 47
SW1(config-cmap)# class-map match-all VOICE
SW1(config-cmap)# match ip dscp ef
SW1(config-cmap)# class-map match-all VIDEO
SW1(config-cmap)# match ip dscp af41
SW1(config-cmap)# class-map match-all CONTROL_PLANE
SW1(config-cmap)# match ip dscp cs6
SW1(config-cmap)# class-map match-all PREFERRED_DATA
SW1(config-cmap)# match ip dscp af33
SW1(config-cmap)# exit

Step 2: Configure a policy map to be applied to the interfaces that reserves the bandwidth for each traffic type as shown in the example below:

SW1(config)# policy-map QOS_POLICY
SW1(config-pmap)# class C2_VOICE
SW1(config-pmap-c)# priority percent 10
SW1(config-pmap-c)# class VOICE
SW1(config-pmap-c)# priority percent 15
SW1(config-pmap-c)# class VIDEO
SW1(config-pmap-c)# bandwidth percent 25
SW1(config-pmap-c)# class CONTROL_PLANE
SW1(config-pmap-c)# priority percent 10
SW1(config-pmap-c)# class PREFERRED_DATA
SW1(config-pmap-c)# bandwidth percent 25
SW1(config-pmap-c)# class class-default
SW1(config-pmap-c)# bandwidth percent 15
SW1(config-pmap-c)# exit
SW1(config-pmap)# exit

Step 3: Apply the output service policy to all interfaces as shown in the configuration example below:

SW1(config)# int e1/1
SW1(config-if)# service-policy output QOS_POLICY
SW1(config-if)# exit
SW1(config)# int e1/2
SW1(config-if)# service-policy output QOS_POLICY
SW1(config-if)# end

Check Contents

Review the switch configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DoDIN Technical Profile.

Step 1: Verify that the class-maps are configured to match on DSCP values as shown in the configuration example below:

class-map match-all C2_VOICE
match ip dscp 47
class-map match-all VOICE
match ip dscp ef
class-map match-all VIDEO
match ip dscp af41
class-map match-all CONTROL_PLANE
match ip dscp cs6
class-map match-all PREFERRED_DATA
match ip dscp af33

Step 2: Verify that the policy map reserves the bandwidth for each traffic type as shown in the example below:

policy-map QOS_POLICY
class C2_VOICE
priority percent 10
class VOICE
priority percent 15
class VIDEO
bandwidth percent 25
class CONTROL_PLANE
priority percent 10
class PREFERRED_DATA
bandwidth percent 25
class class-default
bandwidth percent 15

Step 3: Verify that an output service policy is bound to all interfaces as shown in the configuration example below:

interface Ethernet1/1
ip address 10.1.15.1/30
service-policy output QOS_POLICY
!
interface Ethernet1/2
ip address 10.1.15.4/30
service-policy output QOS_POLICY

Note: Enclaves must mark or re-mark their traffic to be consistent with the DoDIN backbone admission criteria to gain the appropriate level of service. A general DiffServ principle is to mark or trust traffic as close to the source as administratively and technically possible. However, certain traffic types might need to be re-marked before handoff to the DoDIN backbone to gain admission to the correct class. If such re-marking is required, it is recommended that the re-marking be performed at the CE egress edge.

Note: The GTP QOS document (GTP-0009) can be downloaded via the following link:
https://intellipedia.intelink.gov/wiki/Portal:GIG_Technical_Guidance/GTG_GTPs/GTP_Development_List

If the switch is not configured to enforce a QoS policy in accordance with the QoS GIG Technical Profile, this is a finding.
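The Fix and Check steps above amount to three things an assessor has to confirm in the running configuration: the class-maps match the expected DSCP values, the policy map reserves the expected share per class, and every interface carries the output service policy. The script below is an added example, not part of the STIG or of STIGQter, that reads a running-config and reports which of those checks fail. The sample configurations are constructed. It assumes that numeric and named DSCP values are equivalent (so `match dscp 46` satisfies an expected `ef`), that only interfaces named `Ethernet...` are in scope (mgmt0 and loopbacks are skipped), and that the `service-policy` line may optionally carry a `type` keyword as NX-OS prints it.

```python
"""Offline check of an NX-OS running-config against the QoS requirements of CISC-RT-000760.

Added example (not STIG or STIGQter code). Returns findings rather than printing them so
the result can be consumed by a compliance pipeline.
"""
import re

POLICY_NAME = "QOS_POLICY"

# Expected class-map -> DSCP match, taken from the STIG fix text (C2_VOICE uses numeric 47).
EXPECTED_CLASSES = {"C2_VOICE": "47", "VOICE": "ef", "VIDEO": "af41",
                    "CONTROL_PLANE": "cs6", "PREFERRED_DATA": "af33"}

# Expected policy-map action per class: (keyword, percent). These sum to exactly 100%.
EXPECTED_POLICY = {"C2_VOICE": ("priority", 10), "VOICE": ("priority", 15),
                   "VIDEO": ("bandwidth", 25), "CONTROL_PLANE": ("priority", 10),
                   "PREFERRED_DATA": ("bandwidth", 25), "class-default": ("bandwidth", 15)}

BLOCK_RE = re.compile(r"^(class-map|policy-map|interface)\s+(.*\S)\s*$")


def dscp_value(token):
    """Normalize a DSCP token (0-63, ef, default, csN, afXY) to its 6-bit value; None if invalid."""
    t = token.lower()
    if t.isdigit():
        return int(t) if int(t) <= 63 else None
    if t == "ef":
        return 46
    if t == "default":
        return 0
    m = re.fullmatch(r"cs([1-7])", t)
    if m:
        return 8 * int(m.group(1))
    m = re.fullmatch(r"af([1-4])([1-3])", t)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    return None  # e.g. "af47", which is not a valid assured-forwarding code point


def parse_blocks(config_text):
    """Split a running-config into (kind, name, [sub-lines]) blocks.

    Lines are stripped, so indented NX-OS output and the flat STIG excerpt parse alike;
    a '!' separator ends the current block. The block name is the last token of the
    header, so 'class-map type qos match-all VOICE' yields 'VOICE'.
    """
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        if not line:
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2).split()[-1], [])
            blocks.append(current)
        elif current is not None:
            current[2].append(line)
    return blocks


def check_config(config_text, interface_prefix="Ethernet"):
    """Return a list of finding strings; an empty list means all three STIG checks pass."""
    blocks = parse_blocks(config_text)
    class_maps = {n: b for k, n, b in blocks if k == "class-map"}
    policy_maps = {n: b for k, n, b in blocks if k == "policy-map"}
    interfaces = {n: b for k, n, b in blocks if k == "interface"}
    findings = []

    # Step 1: each class-map matches the expected DSCP (numeric and named forms are equivalent).
    for cname, want in EXPECTED_CLASSES.items():
        body = class_maps.get(cname)
        if body is None:
            findings.append(f"class-map {cname} missing")
            continue
        got = [m.group(1) for m in (re.fullmatch(r"match (?:ip )?dscp (\S+)", l) for l in body) if m]
        if not got or dscp_value(got[0]) != dscp_value(want):
            findings.append(f"class-map {cname}: expected dscp {want}, found {got or 'no match'}")

    # Step 2: the policy map reserves the expected share for each class and not more than 100% overall.
    body = policy_maps.get(POLICY_NAME)
    if body is None:
        findings.append(f"policy-map {POLICY_NAME} missing")
    else:
        actions, current_class = {}, None
        for l in body:
            m = re.fullmatch(r"class (\S+)", l)
            if m:
                current_class = m.group(1)
                continue
            m = re.fullmatch(r"(priority|bandwidth) percent (\d+)", l)
            if m and current_class:
                actions[current_class] = (m.group(1), int(m.group(2)))
        for cname, want in EXPECTED_POLICY.items():
            if actions.get(cname) != want:
                findings.append(f"policy-map {POLICY_NAME} class {cname}: expected {want}, found {actions.get(cname)}")
        total = sum(p for _, p in actions.values())
        if total > 100:
            findings.append(f"policy-map {POLICY_NAME} reserves {total}% (> 100%)")

    # Step 3: every in-scope interface carries the output service policy (assumption: Ethernet only).
    sp_re = re.compile(rf"service-policy (?:type \S+ )?output {POLICY_NAME}")
    for iname, body in interfaces.items():
        if iname.startswith(interface_prefix) and not any(sp_re.fullmatch(l) for l in body):
            findings.append(f"interface {iname}: no 'service-policy output {POLICY_NAME}'")
    return findings


# Constructed sample running-config that satisfies the STIG; mgmt0 is deliberately out of scope.
COMPLIANT_CONFIG = """\
class-map type qos match-all C2_VOICE
  match dscp 47
class-map type qos match-all VOICE
  match dscp ef
class-map type qos match-all VIDEO
  match dscp af41
class-map type qos match-all CONTROL_PLANE
  match dscp cs6
class-map type qos match-all PREFERRED_DATA
  match dscp af33
policy-map QOS_POLICY
  class C2_VOICE
    priority percent 10
  class VOICE
    priority percent 15
  class VIDEO
    bandwidth percent 25
  class CONTROL_PLANE
    priority percent 10
  class PREFERRED_DATA
    bandwidth percent 25
  class class-default
    bandwidth percent 15
interface Ethernet1/1
  ip address 10.1.15.1/30
  service-policy output QOS_POLICY
!
interface Ethernet1/2
  ip address 10.1.15.5/30
  service-policy output QOS_POLICY
!
interface mgmt0
  ip address 192.0.2.10/24
"""

# Constructed non-compliant variant: wrong AF class on VIDEO, over-subscribed default class,
# and the service policy left off Ethernet1/2.
NONCOMPLIANT_CONFIG = (
    COMPLIANT_CONFIG
    .replace("match dscp af41", "match dscp af31")
    .replace("bandwidth percent 15", "bandwidth percent 20")
    .replace("ip address 10.1.15.5/30\n  service-policy output QOS_POLICY", "ip address 10.1.15.5/30")
)

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        findings = check_config(cfg)
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print("  FINDING:", f)
```

Feed the script the output of `show running-config` saved to a file; an empty finding list corresponds to "not a finding" for this rule, and each returned string names the step and object that failed so the result can be mapped back to the check text.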

Vulnerability Number

V-221129

Documentable

False

Rule Version

CISC-RT-000760

Severity Override Guidance

Check Content Reference

M

Target Key

4075

Comments